We present an algebraic construction based on state transform matrix (companion matrix) for n×n (where n≠2^k, k being a positive integer) binary matrices with high branch number and low number of fixed points. We also provide examples for 20×20 and 24×24 binary matrices having advantages on implementation issues in lightweight block ciphers and hash functions. The powers of the companion matrix for an irreducible polynomial over GF(2) with degree 5 and 4 are used in finite field Hadamard or circulant manner to construct 20×20 and 24×24 binary matrices, respectively. Moreover, the binary matrices are constructed to have good software and hardware implementation properties. To the best of our knowledge, this is the first study for n×n (where n≠2^k, k being a positive integer) binary matrices with high branch number and low number of fixed points.
1. Introduction
Modern block ciphers are made of several rounds, each consisting of a confusion layer and a diffusion layer. Confusion and diffusion are the two principles of the operation of a secure cipher identified by Shannon [1]. Many block ciphers use linear transformations together with nonlinear substitution boxes (S-boxes) to implement Shannon's principles. In addition, many block ciphers use S-boxes based on the inversion mapping in a finite field [2, 3]. In a block cipher, a linear transformation is employed to provide the required diffusion. The linear transformation guarantees that every output bit depends on every input bit after a few rounds. The substitution layer, or nonlinear layer, provides the necessary confusion, making this dependency complex and nonlinear [4]. A linear transformation provides diffusion by mixing the bits of a fixed-size input block to produce the corresponding output block of the same size [5]. The two existing techniques for measuring the diffusion of a linear transformation are the branch number [6] and the number of fixed points [5]. The branch number is the minimum number of active S-boxes over any two consecutive rounds; it represents the diffusion rate and measures the resistance against linear and differential cryptanalysis. To achieve a better diffusion property, many modern ciphers use linear transformations with a high branch number. On the other hand, the number of fixed points indicates how effectively the linear transformation changes the value of the input block when producing the output block. The underlying idea is that there is no diffusion at a fixed point, since an input block at such a point is left intact by the linear transformation. Note that the expected number of fixed points in a random linear transformation is one [5].
Many block ciphers use maximum distance separable (MDS) and maximum distance binary linear (MDBL) codes as diffusion layers in their round function. The AES [7] and Khazad [8] use MDS codes; Camellia [9] and ARIA [10] use MDBL codes. It is known that MDS matrices do not give a compact implementation in hardware, for example in the AES. Most diffusion layers are linear transformations having matrix representations over GF(2^m) or GF(2). Binary matrices, having a matrix representation over GF(2), are employed as diffusion layers in block ciphers like Camellia and ARIA. An advantage of using such binary matrices in the design of block ciphers, compared with MDS codes, lies in the implementation phase, where only XOR operations are needed, while MDS matrices may need XOR operations, table look-ups, and xtime calls [11]. Furthermore, the 8×8 and 16×16 binary matrices used in Camellia and ARIA have the maximum branch numbers 5 and 8, respectively, and are therefore called MDBL codes [4]. In [12, 13], an algebraic construction method to generate 8×8, 16×16, and 32×32 binary matrices of maximum branch number was given. There is no general method for n×n binary matrices where n≠2^k, k being a positive integer. Constructing diffusion layers with high branch numbers, a low number of fixed points, and low-cost hardware/software implementations is an open problem for lightweight block ciphers and hash functions.
In recent years, lightweight cryptography has attracted a lot of attention from the crypto community since the use of resource-constrained devices has been increasing. There are several lightweight block cipher constructions with 80-bit and 96-bit block sizes in the literature [14–17]. However, these proposals neglect important real-world constraints other than a small chip area, and they have different deficiencies, as listed below:
the lack of efficiency on low-cost processors,
a vast amount of program memory storage,
high execution times due to the high number of rounds,
the lack of security assessment in detail.
The wide-trail strategy is one of the important approaches to designing round transformations of block ciphers that combine efficiency and resistance against linear and differential cryptanalysis. It results in simple and strong security arguments. However, this approach does not help in designing efficient diffusion layers (with a suitable number of active S-boxes). In this respect, the diffusion layers constructed and the method given in this study aim to provide an alternative structure for block ciphers with an input size different from 2^k.
In this study, an algebraic method based on the state transform matrix (companion matrix) to construct binary matrices with good implementation properties for lightweight block ciphers and hash functions is given. The emphasis is on n×n binary matrices where n≠2^k and k is a positive integer. The proposed method can also be considered as a generalization and a different interpretation of the methods given in [12, 13], since it works for any n. This method uses 4×4 finite field Hadamard (FFHadamard) matrices with the powers of the companion matrix of an irreducible polynomial over GF(2) of degree 5, and 6×6 circulant matrices with the powers of the companion matrix of an irreducible polynomial over GF(2) of degree 4, to generate 20×20 (involutory and noninvolutory) and 24×24 (noninvolutory) binary matrices of branch numbers 8 and 10, respectively, with a low number of fixed points. Also, the binary matrices are constructed to have suitable software and hardware implementation properties for lightweight block ciphers. Note that binary matrices of these sizes have not been studied well enough in the literature, which may allow us to design lightweight block ciphers with 80-bit and 96-bit block sizes if these matrices are used with 4-bit S-boxes.
This paper is organized as follows: Section 2 describes the required mathematical background and gives an introduction to the proposed method. In Section 3, the proposed method is given and examples with good cryptographic properties are provided. The security of a lightweight block cipher using the proposed diffusion layer is assessed in Section 4. The conclusion is given in Section 5. In Appendices A, B, and C, implementation details of the given examples are discussed.
2. Preliminaries
In this section, we give the mathematical background and a view of the proposed method.
Let GF(2^m) ≅ GF(2)[x]/(p(x)), where p(x) = a_m x^m + ⋯ + a_1 x + a_0 is an irreducible polynomial over GF(2) of degree m. Let C_m be the companion matrix of this irreducible polynomial. The powers of C_m can be considered as the nonzero elements of GF(2^m) [18, 19]. Then the matrix C_m can be viewed as a polynomial, that is, C_m ↔ x, C_m^2 ↔ x^2, …. This is the core part of the proposed method. Note that this multiplication is modulo p(x) and the rank of these matrices is the extension degree m. The identity matrix is obtained as C_m^{2^m−1}. The companion matrix is
(1) $C_m = \begin{pmatrix} 0 & 0 & \cdots & 0 & a_0 \\ 1 & 0 & \cdots & 0 & a_1 \\ 0 & 1 & \cdots & 0 & a_2 \\ \vdots & \vdots & \ddots & \vdots & \vdots \\ 0 & 0 & \cdots & 1 & a_{m-1} \end{pmatrix}.$
In this study we focus on the finite fields GF(2^4) and GF(2^5), whose irreducible polynomials over GF(2) are, respectively, x^4+x+1 and x^5+x^2+1. Now we give an example of how to obtain the elements of GF(2^4).
Example 1.
Let GF(2^4) ≅ GF(2)[x]/(p(x)), where p(x) = x^4+x+1 is the irreducible polynomial over GF(2). Then,
6×6 matrices with elements C_4^i, where 1 ≤ i ≤ 2^4−1, can be transformed into 24×24 binary matrices by substituting the powers of C_4 with their corresponding 4×4 binary matrices. Similarly, 4×4 matrices with elements C_5^i, where 1 ≤ i ≤ 2^5−1, can be transformed into 20×20 binary matrices by substituting the powers of C_5 with their corresponding 5×5 binary matrices.
Now we recall some facts on linear transformations. The linear transformations of the diffusion layers used in most block ciphers are represented as matrices. Hence, a linear transformation A: ({0,1}^m)^n ↦ ({0,1}^m)^n can be defined as follows:
(3) $A(x) = A \cdot x^T = \begin{pmatrix} a_{11} & a_{12} & \cdots & a_{1n} \\ a_{21} & a_{22} & \cdots & a_{2n} \\ \vdots & \vdots & \ddots & \vdots \\ a_{n1} & a_{n2} & \cdots & a_{nn} \end{pmatrix} \cdot \begin{pmatrix} x_1 \\ x_2 \\ \vdots \\ x_n \end{pmatrix},$
where x = (x_1, x_2, …, x_n)^T and x_i ∈ {0,1}^m, i = 1, …, n. Also, n represents the number of S-boxes in a diffusion layer A, where the size of each input and output is m bits [4].
Definition 2 (see [6]).
The differential and linear branch numbers of an n×n matrix A: ({0,1}^m)^n ↦ ({0,1}^m)^n are defined by
(4) $B_d(A) = \min\{\, wt(x) + wt(A \cdot x^T) \mid x \in (\{0,1\}^m)^n - \{0\} \,\}, \quad B_l(A) = \min\{\, wt(x) + wt(A^T \cdot x^T) \mid x \in (\{0,1\}^m)^n - \{0\} \,\},$
where wt(x) is the number of nonzero components of x.
Definition 3.
Let n be a power of 2. An n×n finite field Hadamard (FFHadamard) matrix with elements of GF(2^m) can be given as follows:
(5) $\operatorname{had}(a_1, a_2, \ldots, a_n) = \begin{pmatrix} a_1 & a_2 & \cdots & a_{n-1} & a_n \\ a_2 & a_1 & \cdots & a_n & a_{n-1} \\ \vdots & \vdots & \ddots & \vdots & \vdots \\ a_n & a_{n-1} & \cdots & a_2 & a_1 \end{pmatrix}.$
Remark 4.
Note that one can also divide the FFHadamard matrix into submatrices. For example, for the 4×4 FFHadamard matrix we have $\operatorname{had}(a_1, a_2, a_3, a_4) = \begin{pmatrix} A & B \\ B & A \end{pmatrix}$, where $A = \begin{pmatrix} a_1 & a_2 \\ a_2 & a_1 \end{pmatrix}$ and $B = \begin{pmatrix} a_3 & a_4 \\ a_4 & a_3 \end{pmatrix}$. The matrices A and B have Toeplitz matrix properties. We use this observation while constructing a diffusion layer.
Definition 5.
An n×n circulant matrix with elements of GF(2^m) can be given as follows:
(6) $\operatorname{circ}(a_1, a_2, \ldots, a_n) = \begin{pmatrix} a_1 & a_2 & \cdots & a_{n-1} & a_n \\ a_n & a_1 & \cdots & a_{n-2} & a_{n-1} \\ a_{n-1} & a_n & \cdots & a_{n-3} & a_{n-2} \\ \vdots & \vdots & \ddots & \vdots & \vdots \\ a_2 & a_3 & \cdots & a_n & a_1 \end{pmatrix}.$
Note that Remark 4 is also applicable in this case. In Lemma 6, the construction of involutory 4×4 FFHadamard matrix is given.
Lemma 6.
Let A be a 4×4 FFHadamard matrix with distinct elements of GF(2^m) − {0}. Then A is involutory if and only if $\sum_{i=1}^{4} a_i = 1$.
Proof.
By (7), $A^2 = \left(\sum_{i=1}^{4} a_i^2\right) I$, and over GF(2^m) we have $\sum_{i=1}^{4} a_i^2 = \left(\sum_{i=1}^{4} a_i\right)^2$, so $A^2 = I$ exactly when $\sum_{i=1}^{4} a_i = 1$. Since A is also symmetric (A = A^T), the matrix A is then involutory (A^{−1} = A):
(7) $A^2 = \begin{pmatrix} a_1 & a_2 & a_3 & a_4 \\ a_2 & a_1 & a_4 & a_3 \\ a_3 & a_4 & a_1 & a_2 \\ a_4 & a_3 & a_2 & a_1 \end{pmatrix} \cdot \begin{pmatrix} a_1 & a_2 & a_3 & a_4 \\ a_2 & a_1 & a_4 & a_3 \\ a_3 & a_4 & a_1 & a_2 \\ a_4 & a_3 & a_2 & a_1 \end{pmatrix} = \begin{pmatrix} \sum_{i=1}^{4} a_i^2 & 0 & 0 & 0 \\ 0 & \sum_{i=1}^{4} a_i^2 & 0 & 0 \\ 0 & 0 & \sum_{i=1}^{4} a_i^2 & 0 \\ 0 & 0 & 0 & \sum_{i=1}^{4} a_i^2 \end{pmatrix}.$
In this study, 20×20 binary matrices are constructed by using 4×4 FFHadamard matrices with elements of GF(2^5), and 24×24 noninvolutory binary matrices are constructed by using 6×6 matrices with elements of GF(2^4). The 20×20 binary matrices constructed are both involutory and noninvolutory, with the minimum number of fixed points. Involutory transformations make the decryption process the same as the encryption process, so encryption and decryption can be implemented by the same module and run at equal speed. The noninvolutory transformations constructed in this study are instead aimed at having close encryption and decryption speeds. An input block is a fixed point of a transformation if the input block equals its output block. Clearly, there is no diffusion at the fixed points, since the input blocks at these points are left intact by the linear transformation. Therefore, if the number of fixed points of a linear transformation greatly exceeds the expected number for a random linear transformation, this indicates poor diffusion. Note that the expected number of fixed points in a random linear transformation is one [5]. Consider an input block formed by m-bit values in the field GF(2^m), let the linear transformation matrix be the n×n matrix A = (a_ij)_{n×n}, where a_ij ∈ GF(2) or a_ij ∈ GF(2^m), and let I be the n×n identity matrix. Then the set of all fixed points of the linear transformation represented by the nonsingular matrix A is obtained by solving (A + I)·x^T = 0, where 0 is the all-zero vector of length n. Hence, the number of fixed points is
(8) $F_A = 2^{m\,(n - \operatorname{rank}(A+I))}.$
Clearly, the larger the rank of (A + I), the fewer fixed points the matrix A has.
Remark 7.
The existence of fixed points in the round function of block ciphers has been used as the basis for some cryptographic attacks, which exploit fixed points that exist across one or more rounds [5]. The block ciphers DES, SAFER K, Blowfish, GOST, DEAL, and KeeLoq were previously found vulnerable to attacks based on the existence of fixed points [20–23]. For SPN ciphers, the existence of fixed points in a linear transformation hints at the presence of a 1-round self-iterating differential characteristic. It should also be noted that not all fixed points are useful in constructing a self-iterating characteristic. The usefulness of a fixed point, in this case, depends on its interaction with the subsequent nonlinear transformation: if the input difference is a fixed point, then the linear transformation replicates this difference into the same S-boxes in the next round. In this context, when designing a block cipher, the linear transformation should be considered together with the S-boxes, and self-iterating characteristics should be searched for. The designer should decide on the number of rounds of the block cipher according to further investigations (e.g., the resistance of the linear transformation against other attacks like impossible differential cryptanalysis and truncated differential cryptanalysis). Whether a large number of fixed points in the matrix can be turned into an attack on a cipher that uses the construction as a building block depends on the cipher. What we expect is that the cipher itself should behave like a random permutation. Therefore, if the cipher itself does not have many fixed points, then it would be almost impossible to exploit the large number of fixed points of the matrix used in the cipher. Hence, the other building blocks of the cipher should not leverage and extend the fixed points of the matrix to the high-level structure of the cipher. Otherwise the cipher may be vulnerable to a self-similarity attack such as a reflection attack.
3. The Proposed Method
In this section, we explain our strategy by using the definitions given in Section 2. Then, we give the algebraic construction of 20×20 and 24×24 binary matrices. The construction procedure has four main steps.
Step 1. Construct the companion (state transform) matrix C_m for a given irreducible polynomial p(x) of degree m. Note that C_m is an m×m matrix.
Step 2. Choose some integers s_i with 1 ≤ s_i ≤ 2^m−1 and compute the corresponding powers C_m^{s_i}. Note that the selection of the s_i depends on the Hamming weight of each row of the big matrix D.
Step 3. Construct D by using had(C_m^{s_1}, C_m^{s_2}, …, C_m^{s_l}) or circ(C_m^{s_1}, C_m^{s_2}, …, C_m^{s_l}), where l is a positive integer. Choose a matrix D whose rows have Hamming weight as small as possible. This condition helps us to have low-cost (XOR-friendly) hardware implementations.
Step 4. Check whether the branch number and the number of fixed points are satisfactory.
This algorithm can be easily implemented on a computer. The results given in this study are obtained by using Magma Computational Algebra System [24]. With the help of Magma Computational Algebra System, one can evaluate hundreds of 20×20 or 24×24 binary matrices in a second.
Remark 8.
Note that the diffusion layers proposed in this study can be implemented by only XOR operations whereas other diffusion layers like MDS (maximum distance separable) matrices may use table look-ups, xtime calls, and so forth [11]. Thus, performing the proposed diffusion layers gives us better implementation properties.
3.1. Algebraic Construction of Cryptographically Good 20×20 Binary Matrices
The maximum branch number of n×n binary matrices is equal to the maximum distance of binary linear [2n, n] codes. The exact maximum distance for n×n (n ≤ 18) binary matrices is known. For example, the maximum branch number, and hence the upper bound, for 8×8 matrices is 5 [4]. A 20×20 binary matrix with branch number 9 is known, and the theoretical upper bound is 10. Note that there is no theoretical bound on the branch number of involutory binary matrices. The method presented herein is successful in generating 20×20 involutory and noninvolutory binary matrices of branch number 8. Also, the 20×20 involutory and noninvolutory binary matrices are constructed such that the rank of the A + I matrix is the highest achievable rank, which is 10 for 20×20 involutory binary matrices and 20 for 20×20 noninvolutory binary matrices. In Example 11, a 20×20 involutory binary matrix (A_Binary = A_Binary^{−1}) is constructed from a 4×4 involutory FFHadamard matrix A that satisfies four restrictions simultaneously:
the 4×4 matrix A should be involutory as given in Lemma 6,
the 20×20 binary matrix A_Binary transformed from the 4×4 involutory matrix A should have differential and linear branch number 8,
the 4×4 involutory matrix A should be chosen such that the rank of the (A + I) matrix is 2, which is in fact the highest achievable rank (n/2 for an n×n involutory matrix). Since the elements of GF(2^5) are used to construct the 20×20 binary matrix, the rank of the matrix (A_Binary + I) becomes 10. Thus, if it is used as an 80-bit to 80-bit linear transformation, where each input element is in GF(2^4), the binary linear transformation has 2^40 fixed points,
the elements of the 4×4 matrix A in GF(2^5) should be chosen such that each row and column of the transformed binary matrix has Hamming weight 7, which provides suitable implementation properties.
Remark 9.
If we want to construct a 20×20 binary matrix of branch number 8 with minimum Hamming weight (in each row and column), then we need to focus on binary matrices with Hamming weight 7 in each row and column. That means a random search would have to cover (C(20,7))^20 ≈ 2^324 binary matrices, whereas the search space of the proposed method is C(31,4) = 31465, where 2^5−1 = 31 is the number of 5×5 binary matrices (distinct elements) used in the construction, obtained from the primitive polynomial x^5+x^2+1, and 4 is the number of elements in the first row of the Hadamard matrix. Therefore, the main idea of the method is to reduce the search space and construct binary matrices of high branch number.
Remark 10.
If one wants to construct an involutory 20×20 binary matrix and use it with 4-bit S-boxes, then the minimum number of fixed points is 2^40, since the rank of the (D + I) matrix is at most 10 (or at most n/2 for an n×n involutory binary matrix). In this respect, this matrix has the lowest possible number of fixed points. For example, the AES has 2^16 fixed points even though the diffusion layer of the AES (ShiftRows + MixColumns) is not involutory [5]. Noninvolutory diffusion layers may provide fewer fixed points, as shown in Example 12 (one fixed point).
Example 11.
Let
(9) $A = \operatorname{had}(C_5^{31}, C_5^{18}, C_5^{3}, C_5^{27}) = \begin{pmatrix} C_5^{31} & C_5^{18} & C_5^{3} & C_5^{27} \\ C_5^{18} & C_5^{31} & C_5^{27} & C_5^{3} \\ C_5^{3} & C_5^{27} & C_5^{31} & C_5^{18} \\ C_5^{27} & C_5^{3} & C_5^{18} & C_5^{31} \end{pmatrix}$
be an involutory 4×4 FFHadamard matrix, which is also an MDS matrix over the finite field GF(2^5) defined by the primitive polynomial p(x) = x^5+x^2+1; that is, the branch number of the 4×4 matrix is 5. It can be transformed into the 20×20 binary matrix satisfying the restrictions above as follows:
(10) A_Binary =
10000100010010010101
01000110000001011010
00100011010010101000
00010001101001010100
00001000110100101010
10001100001010100100
11000010001101000010
01101001000100000101
00110000101010010010
00011000010101001001
00100101011000010001
00010110100100011000
00101010000010001101
10010101000001000110
01001010100000100011
10101001001000110000
11010000101100001000
01000001010110100100
10100100100011000010
01010010010001100001
Note that the 20×20 binary matrix A_Binary given in Example 11 requires 120 XOR operations in the implementation for both encryption and decryption. In Example 12, a 20×20 noninvolutory binary matrix is constructed from a 4×4 noninvolutory matrix B that satisfies three restrictions simultaneously:
the 20×20 binary matrix B_Binary transformed from the 4×4 noninvolutory matrix B should have differential and linear branch number 8,
the rank of the 4×4 noninvolutory matrix B + I should be 4, which is in fact the highest achievable rank (n for an n×n matrix). Since the elements of GF(2^5) are used to construct the 20×20 binary matrix, the rank of the matrix (B_Binary + I) becomes 20. Therefore, if it is used as an 80-bit to 80-bit linear transformation, where each input element is in GF(2^4), the binary linear transformation has only one fixed point,
the elements of the 4×4 matrix B in GF(2^5) should be chosen such that the constructed binary matrix has suitable implementation properties.
Example 12.
Let
(11) $B = \operatorname{had}(C_5^{31}, C_5, C_5^{27}, C_5^{9}) = \begin{pmatrix} C_5^{31} & C_5 & C_5^{27} & C_5^{9} \\ C_5 & C_5^{31} & C_5^{9} & C_5^{27} \\ C_5^{27} & C_5^{9} & C_5^{31} & C_5 \\ C_5^{9} & C_5^{27} & C_5 & C_5^{31} \end{pmatrix}$
be a noninvolutory 4×4 FFHadamard matrix, which is also an MDS matrix over the finite field GF(2^5) defined by the primitive polynomial p(x) = x^5+x^2+1; that is, the branch number of the 4×4 matrix is 5. It can be transformed into the 20×20 binary matrix satisfying the restrictions above as follows:
(12) B_Binary =
10000000011010101100
01000100001101010110
00100010010100000111
00010001001010010011
00001000100101011001
00001100000110010101
10000010001011011010
01001001000011101000
00100000101001110100
00010000011100101010
10101011001000000001
11010101100100010000
01000001110010001001
10100100110001000100
01010110010000100010
01100101010000110000
10110110101000001000
00111010000100100100
10011101000010000010
11001010100001000001
Note that the 20×20 binary matrix B_Binary given in Example 12 and its inverse 20×20 binary matrix (Appendix A) require 124 and 140 XOR operations in the implementation for encryption and decryption, respectively.
3.2. Algebraic Construction of Cryptographically Good 24×24 Binary Matrices
The exact maximum distance (upper bound), and therefore the maximum branch number, for 24×24 binary matrices is 12 [4]. The method presented herein is successful in generating 24×24 noninvolutory binary matrices of branch number 10. Note that no 24×24 binary matrix of branch number 10 or more was previously known. The 24×24 noninvolutory binary matrices are constructed such that the rank of the (D + I) matrix is as high as possible. Also, when constructing 24×24 binary matrices, 6×6 circulant matrices with elements of GF(2^4) are used. In Example 13, a 24×24 noninvolutory binary matrix is constructed from a 6×6 circulant matrix D that satisfies three restrictions simultaneously:
the 24×24 binary matrix D_Binary transformed from the 6×6 circulant matrix D should have differential and linear branch number 10,
the 6×6 circulant matrix D should be chosen such that the rank of the (D + I) matrix is 5, which is in fact the highest achievable rank satisfying the previous restriction. Since the elements of GF(2^4) are used to construct the 24×24 binary matrix, the rank of the matrix (D_Binary + I) becomes 20. Thus, if it is used as a 96-bit to 96-bit linear transformation, where each input element is in GF(2^4), the binary linear transformation has 2^16 fixed points,
the elements of the 6×6 matrix D in GF(2^4) should be chosen such that the constructed binary matrix has suitable implementation properties.
Example 13.
Let
(13) $D = \operatorname{circ}(C_4^{7}, C_4^{15}, C_4^{3}, C_4^{14}, C_4^{11}, C_4^{2}) = \begin{pmatrix} C_4^{7} & C_4^{15} & C_4^{3} & C_4^{14} & C_4^{11} & C_4^{2} \\ C_4^{2} & C_4^{7} & C_4^{15} & C_4^{3} & C_4^{14} & C_4^{11} \\ C_4^{11} & C_4^{2} & C_4^{7} & C_4^{15} & C_4^{3} & C_4^{14} \\ C_4^{14} & C_4^{11} & C_4^{2} & C_4^{7} & C_4^{15} & C_4^{3} \\ C_4^{3} & C_4^{14} & C_4^{11} & C_4^{2} & C_4^{7} & C_4^{15} \\ C_4^{15} & C_4^{3} & C_4^{14} & C_4^{11} & C_4^{2} & C_4^{7} \end{pmatrix}$
be a 6×6 circulant matrix of branch number 6 over the finite field GF(2^4) defined by the primitive polynomial p(x) = x^4+x+1. It can be transformed into the 24×24 binary matrix satisfying the restrictions above as follows:
(14) D_Binary =
110110000100110001110010
101101000110001011000011
010100100011000111101001
101000011001100011110100
001011011000010011000111
001110110100011000101100
100101010010001100011110
010010100001100110001111
011100101101100001001100
110000111011010001100010
111010010101001000110001
111101001010000110011000
110001110010110110000100
001011000011101101000110
000111101001010100100011
100011110100101000011001
010011000111001011011000
011000101100001110110100
001100011110100101010010
100110001111010010100001
100001001100011100101101
010001100010110000111011
001000110001111010010101
000110011000111101001010
Note that in a straight coding, the 24×24 binary matrix D_Binary given in Example 13 requires 240 XOR operations in the implementation for both encryption and decryption. The required number of XOR operations can be reduced to 186 by adding 6 temporary variables to the implementation for both encryption and decryption (Appendices B and C).
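The four-step construction of Section 3, run for Examples 11 and 13 above, as an added example that is not code from the paper (the paper's own computations were done in Magma): it builds C_5 and C_4 from eq. (1), assembles A_Binary = had(C_5^31, C_5^18, C_5^3, C_5^27) and D_Binary = circ(C_4^7, C_4^15, C_4^3, C_4^14, C_4^11, C_4^2), and runs the Step 4 checks (Lemma 6 condition, involutority, row weights, rank(A + I) for eq. (8), and the branch number of Definition 2 for the 20×20 matrix; the 24×24 branch number over 2^24 inputs is left out for run time). All helper names are this example's own.

```python
# Added example, not code from the paper: Steps 1-4 of Section 3 reproduced for
# Example 11 (20x20 over GF(2^5), p(x) = x^5+x^2+1) and Example 13 (24x24 over GF(2^4),
# p(x) = x^4+x+1). A matrix over GF(2) is a list of row bitmasks: bit j of rows[i] is entry (i, j).
from functools import reduce
from operator import xor

def companion(poly, m):
    """Companion matrix C_m of eq. (1); poly carries a_0..a_{m-1} in bits 0..m-1.
    Row i has a 1 in column i-1 (the shift x^j -> x^(j+1)) and a_i in the last
    column (x^m reduced modulo p(x)), so C_m acts as multiplication by x."""
    return [((1 << (i - 1)) if i else 0) | (((poly >> i) & 1) << (m - 1))
            for i in range(m)]

def identity(n):
    return [1 << i for i in range(n)]

def matadd(a, b):
    return [x ^ y for x, y in zip(a, b)]

def matmul(a, b):
    """Product over GF(2): row i of a*b is the XOR of the rows of b picked by row i of a."""
    return [reduce(xor, (b[j] for j in range(len(b)) if (r >> j) & 1), 0) for r in a]

def matpow(c, e, m):
    """C_m^e by square-and-multiply; C_m^(2^m - 1) is the identity."""
    result, base = identity(m), c
    while e:
        if e & 1:
            result = matmul(result, base)
        base = matmul(base, base)
        e >>= 1
    return result

def had(blocks):
    """FFHadamard layout of Definition 3: block (i, j) is a_{i XOR j}."""
    l = len(blocks)
    return [[blocks[i ^ j] for j in range(l)] for i in range(l)]

def circ(blocks):
    """Circulant layout of Definition 5: block (i, j) is a_{(j - i) mod l}."""
    l = len(blocks)
    return [[blocks[(j - i) % l] for j in range(l)] for i in range(l)]

def to_binary(layout, m):
    """Replace every m x m block by its bits, giving the (l*m) x (l*m) binary matrix."""
    rows = []
    for block_row in layout:
        for r in range(m):
            rows.append(sum(blk[r] << (j * m) for j, blk in enumerate(block_row)))
    return rows

def rank_gf2(rows):
    """Rank over GF(2) by XOR elimination on leading bits; eq. (8) needs rank(A + I)."""
    pivots = {}
    for row in rows:
        while row:
            lead = row.bit_length() - 1
            if lead not in pivots:
                pivots[lead] = row
                break
            row ^= pivots[lead]
    return len(pivots)

def branch_number(rows, n):
    """Definition 2 for a binary matrix: min wt(x) + wt(Mx) over nonzero x in GF(2)^n.
    x is walked in Gray-code order, so each step XORs a single column into Mx."""
    cols = [sum(((r >> j) & 1) << i for i, r in enumerate(rows)) for j in range(n)]
    best, x, y = 2 * n, 0, 0
    for k in range(1, 1 << n):
        j = (k & -k).bit_length() - 1  # bit that flips between gray(k-1) and gray(k)
        x ^= 1 << j
        y ^= cols[j]
        w = bin(x).count("1") + bin(y).count("1")
        if w < best:
            best = w
    return best

def row_string(rows, n, i):
    """Row i written left to right, column 0 first, as the rows of (10) and (14) are."""
    return "".join("1" if (rows[i] >> j) & 1 else "0" for j in range(n))

def example11():
    """A = had(C5^31, C5^18, C5^3, C5^27); x^5+x^2+1 has a_0 = a_2 = 1, i.e. poly 0b00101."""
    c5 = companion(0b00101, 5)
    blocks = [matpow(c5, e, 5) for e in (31, 18, 3, 27)]
    a_bin = to_binary(had(blocks), 5)
    return {
        "lemma6_sum_is_identity": reduce(matadd, blocks) == identity(5),
        "involutory": matmul(a_bin, a_bin) == identity(20),
        "row_weights": [bin(r).count("1") for r in a_bin],  # weight w costs w-1 XORs per row
        "rank_A_plus_I": rank_gf2(matadd(a_bin, identity(20))),  # fixed points: 2^(4*(20-rank))
        "branch_number": branch_number(a_bin, 20),
        "first_row": row_string(a_bin, 20, 0),
    }

def example13():
    """D = circ(C4^7, C4^15, C4^3, C4^14, C4^11, C4^2); x^4+x+1 is poly 0b0011."""
    c4 = companion(0b0011, 4)
    blocks = [matpow(c4, e, 4) for e in (7, 15, 3, 14, 11, 2)]
    d_bin = to_binary(circ(blocks), 4)
    return {
        "row_weights": [bin(r).count("1") for r in d_bin],
        "rank_D_plus_I": rank_gf2(matadd(d_bin, identity(24))),  # fixed points: 2^(4*(24-rank))
        "first_row": row_string(d_bin, 24, 0),
    }
```

The "first_row" strings can be compared directly with the first rows of (10) and (14); the 2^20-input branch-number search takes about a second in CPython.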
4. Security Assessment of an Assumed Lightweight Block Cipher with 80-Bit or 96-Bit Block Size
In this section, we focus on the security analysis of an assumed block cipher using the proposed linear transformation. A differentially active S-box is an S-box given a nonzero input difference, and a linearly active S-box is an S-box given a nonzero output mask. In this study, S-boxes are assumed to be bijective mappings on GF(2^m), and round keys are assumed to be independent and uniformly random. Thus the number of active S-boxes is not affected by the key addition layer. The branch number of a diffusion layer is the minimum number of active S-boxes in a 2-round SPN (substitution permutation network). We follow the method defined in [25, 26]. Let p_D and q_L be the maximum probabilities of the differential and linear characteristics for a 2r-round SPN, respectively. Then p_D^{2r} ≤ p^{r·β} and q_L^{2r} ≤ q^{r·β}, where p, q, and β denote the maximum differential probability of the S-box, the maximum linear probability of the S-box, and the branch number of the diffusion layer used in the block cipher, respectively. In this study, an SPN structure consisting of a number of rounds of the same 20 4-bit S-boxes connected by a 20×20 binary matrix is considered for the 80-bit block size. Figure 1 shows one round function of the assumed block cipher. Note that the maximum differential and linear probabilities of the S-box are assumed to be 2^−2, which is the best value for 4×4 S-boxes [27]. Then, the maximum probabilities of the differential characteristic, p_D, and the linear characteristic, q_L, for the 2r-round SPN are as follows:
(15) $p_D^{2r} \le 2^{-2 \cdot r \cdot \beta_A}, \quad q_L^{2r} \le 2^{-2 \cdot r \cdot \beta_A},$
where β_A denotes the branch number of the 20×20 binary matrix assumed for the lightweight block cipher shown in Figure 1. The maximum differential and linear probabilities of the 2-round SPN are bounded by (2^−2)^{1·8} = 2^−16, since the branch number of the binary matrix is assumed to be 8 and thus the minimum number of active S-boxes in the 2-round SPN is 8. In Table 1, the lower bounds for the number of active S-boxes and the upper bounds for the linear and differential probabilities for each number of rounds are computed for the assumed block cipher of 80-bit and 96-bit block sizes.
Table 1: The lower bounds for the number of active S-boxes and the upper bounds for the linear and differential probabilities for the assumed block cipher of 80-bit and 96-bit block size.

Round | Active S-boxes, lower bound (80-bit cipher) | Active S-boxes, lower bound (96-bit cipher) | Linear/differential probability, upper bound (80-bit cipher) | Linear/differential probability, upper bound (96-bit cipher)
2 | 8 | 10 | 2^−16 | 2^−20
3 | 9 | 11 | 2^−18 | 2^−22
4 | 16 | 20 | 2^−32 | 2^−40
5 | 17 | 21 | 2^−34 | 2^−42
6 | 24 | 30 | 2^−48 | 2^−60
7 | 25 | 31 | 2^−50 | 2^−62
8 | 32 | 40 | 2^−64 | 2^−80
9 | 33 | 41 | 2^−66 | 2^−82
10 | 40 | 50 | 2^−80 | 2^−100
11 | 41 | 51 | 2^−82 | 2^−102
12 | 48 | 60 | 2^−96 | 2^−120

Figure 1: One round function of an assumed lightweight block cipher.
In this context, the minimum number of rounds needed for the lightweight block cipher with 80-bit block size to be secure against differential and linear cryptanalysis is 10, because the maximum differential and linear probabilities of the 10-round SPN are bounded by (2^−2)^{5·8} = 2^−80 ≤ 2^−80. Similarly, if an SPN structure consisting of a number of rounds of the same 24 4-bit S-boxes connected by a 24×24 binary matrix is considered for the 96-bit block size, then the minimum number of rounds needed for the lightweight block cipher to be secure against differential and linear cryptanalysis is again 10, because the maximum differential and linear probabilities of the 10-round SPN are bounded by (2^−2)^{5·10} = 2^−100 ≤ 2^−96.
5. Conclusion
In this study, an algebraic method based on the state transform matrix (companion matrix) to construct n×n binary matrices with good implementation properties for lightweight block ciphers and hash functions is given. The proposed method can also be considered as a generalization and a different interpretation of the methods given in [12, 13], since it works for any n. For 20×20 and 24×24 binary matrices, examples with good implementation properties are provided. The binary matrices are also constructed to have suitable software and hardware implementation properties for lightweight block ciphers; in other words, the matrices obtained by the proposed method have smaller hardware implementations in terms of the required number of XOR gates. Note that binary matrices of these sizes have not been studied well enough in the literature, which may allow us to design lightweight block ciphers with 80-bit and 96-bit block sizes if these matrices are used with 4-bit S-boxes. The 20×20 binary matrix given in Example 12 has only one fixed point and branch number 8.
Appendices
A. Inverse of the 20×20 Binary Matrix Given in Example 12
The inverse of the 20×20 binary matrix given in Example 12, B_Binary^{−1}, can be constructed by transforming the 4×4 FFHadamard matrix had(C_5^2, C_5^3, C_5^29, C_5^11) into binary form as given below:
(A.1) B_Binary^{−1} =
00010001001010010011
00001000100101011001
10010001010000111111
01001100101000001111
00100010010100000111
00100000101001110100
00010000011100101010
00101100101111100001
10010010010111110000
01001001000011101000
10100100110001000100
01010110010000100010
00001111111001000101
10000011110100110010
01000001110010001001
10011101000010000010
11001010100001000001
11111000010010110010
01111100001001001001
00111010000100100100
B. Implementation of the 24×24 Binary Matrix Given in Example 13
If the 24×24 binary matrix given in Example 13 is implemented with 4-bit XORs, then D_Binary is represented by 4-bit XORs of binary vectors as follows: D_Binary·x = y, where x = (x_0, x_1, …, x_23)^T and y = (y_0, y_1, …, y_23)^T with x_i, y_i ∈ GF(2^4), i = 0, 1, …, 23. Note also that T_0, T_1, …, T_5 are temporary variables used to reduce the number of XOR operations from 240 to 186. Then,
(B.1)
T_0 = x_3 ⊕ x_4 ⊕ x_13 ⊕ x_18,
T_1 = x_0 ⊕ x_9 ⊕ x_14 ⊕ x_23,
T_2 = x_1 ⊕ x_6 ⊕ x_15 ⊕ x_16,
T_3 = x_2 ⊕ x_11 ⊕ x_12 ⊕ x_21,
T_4 = x_7 ⊕ x_8 ⊕ x_17 ⊕ x_22,
T_5 = x_5 ⊕ x_10 ⊕ x_19 ⊕ x_20,
y_0 = T_0 ⊕ x_0 ⊕ x_1 ⊕ x_9 ⊕ x_12 ⊕ x_17 ⊕ x_19 ⊕ x_22,
y_1 = T_1 ⊕ x_2 ⊕ x_3 ⊕ x_5 ⊕ x_10 ⊕ x_16 ⊕ x_17 ⊕ x_22,
y_2 = T_2 ⊕ x_3 ⊕ x_10 ⊕ x_11 ⊕ x_17 ⊕ x_18 ⊕ x_20 ⊕ x_23,
y_3 = T_3 ⊕ x_0 ⊕ x_7 ⊕ x_8 ⊕ x_16 ⊕ x_17 ⊕ x_18 ⊕ x_19,
y_4 = T_4 ⊕ x_2 ⊕ x_4 ⊕ x_5 ⊕ x_13 ⊕ x_16 ⊕ x_21 ⊕ x_23,
y_5 = T_0 ⊕ x_2 ⊕ x_6 ⊕ x_7 ⊕ x_9 ⊕ x_14 ⊕ x_20 ⊕ x_21,
y_6 = T_5 ⊕ x_0 ⊕ x_3 ⊕ x_7 ⊕ x_14 ⊕ x_15 ⊕ x_21 ⊕ x_22,
y_7 = T_2 ⊕ x_4 ⊕ x_11 ⊕ x_12 ⊕ x_20 ⊕ x_21 ⊕ x_22 ⊕ x_23,
y_8 = T_3 ⊕ x_1 ⊕ x_3 ⊕ x_6 ⊕ x_8 ⊕ x_9 ⊕ x_17 ⊕ x_20,
y_9 = T_4 ⊕ x_0 ⊕ x_1 ⊕ x_6 ⊕ x_10 ⊕ x_11 ⊕ x_13 ⊕ x_18,
y_10 = T_1 ⊕ x_1 ⊕ x_2 ⊕ x_4 ⊕ x_7 ⊕ x_11 ⊕ x_18 ⊕ x_19,
y_11 = T_5 ⊕ x_0 ⊕ x_1 ⊕ x_2 ⊕ x_3 ⊕ x_8 ⊕ x_15 ⊕ x_16,
y_12 = T_2 ⊕ x_0 ⊕ x_5 ⊕ x_7 ⊕ x_10 ⊕ x_12 ⊕ x_13 ⊕ x_21,
y_13 = T_3 ⊕ x_4 ⊕ x_5 ⊕ x_10 ⊕ x_14 ⊕ x_15 ⊕ x_17 ⊕ x_22,
y_14 = T_0 ⊕ x_5 ⊕ x_6 ⊕ x_8 ⊕ x_11 ⊕ x_15 ⊕ x_22 ⊕ x_23,
y_15 = T_1 ⊕ x_4 ⊕ x_5 ⊕ x_6 ⊕ x_7 ⊕ x_12 ⊕ x_19 ⊕ x_20,
y_16 = T_5 ⊕ x_1 ⊕ x_4 ⊕ x_9 ⊕ x_11 ⊕ x_14 ⊕ x_16 ⊕ x_17,
y_17 = T_2 ⊕ x_2 ⊕ x_8 ⊕ x_9 ⊕ x_14 ⊕ x_18 ⊕ x_19 ⊕ x_21,
y_18 = T_4 ⊕ x_2 ⊕ x_3 ⊕ x_9 ⊕ x_10 ⊕ x_12 ⊕ x_15 ⊕ x_19,
y_19 = T_0 ⊕ x_0 ⊕ x_8 ⊕ x_9 ⊕ x_10 ⊕ x_11 ⊕ x_16 ⊕ x_23,
y_20 = T_1 ⊕ x_5 ⊕ x_8 ⊕ x_13 ⊕ x_15 ⊕ x_18 ⊕ x_20 ⊕ x_21,
y_21 = T_5 ⊕ x_1 ⊕ x_6 ⊕ x_12 ⊕ x_13 ⊕ x_18 ⊕ x_22 ⊕ x_23,
y_22 = T_3 ⊕ x_6 ⊕ x_7 ⊕ x_13 ⊕ x_14 ⊕ x_16 ⊕ x_19 ⊕ x_23,
y_23 = T_4 ⊕ x_3 ⊕ x_4 ⊕ x_12 ⊕ x_13 ⊕ x_14 ⊕ x_15 ⊕ x_20.
C. Inverse of the 24×24 Binary Matrix Given in Example 13 and Implementation Details
The inverse of the 24×24 binary matrix given in Example 13 is constructed from the 6×6 circulant matrix D^-1 = circ(C4^11, C4^14, C4^14, C4^2, C4^9, C4^15) as follows. The rows of D_Binary^-1 are listed from top to bottom, each row written as its six 4×4 blocks:
(C.1) D_Binary^-1 =
0111 1100 1100 0010 0101 1000
1100 0010 0010 0011 1111 0100
1110 0001 0001 1001 0111 0010
1111 1000 1000 0100 1011 0001
1000 0111 1100 1100 0010 0101
0100 1100 0010 0010 0011 1111
0010 1110 0001 0001 1001 0111
0001 1111 1000 1000 0100 1011
0101 1000 0111 1100 1100 0010
1111 0100 1100 0010 0010 0011
0111 0010 1110 0001 0001 1001
1011 0001 1111 1000 1000 0100
0010 0101 1000 0111 1100 1100
0011 1111 0100 1100 0010 0010
1001 0111 0010 1110 0001 0001
0100 1011 0001 1111 1000 1000
1100 0010 0101 1000 0111 1100
0010 0011 1111 0100 1100 0010
0001 1001 0111 0010 1110 0001
1000 0100 1011 0001 1111 1000
1100 1100 0010 0101 1000 0111
0010 0010 0011 1111 0100 1100
0001 0001 1001 0111 0010 1110
1000 1000 0100 1011 0001 1111
Let D_Binary^-1·x = y, where x = (x0, x1, …, x23)^T and y = (y0, y1, …, y23)^T with xi, yi ∈ GF(2^4), i = 0, 1, …, 23, so that every ⊕ below is one 4-bit XOR. Note also that T0, T1, …, T5 are temporary variables used to reduce the number of XOR operations from 240 XORs to 186 XORs. Then,
(C.2)
T0 = x2 ⊕ x3 ⊕ x8 ⊕ x9,
T1 = x0 ⊕ x1 ⊕ x18 ⊕ x19,
T2 = x5 ⊕ x6 ⊕ x7 ⊕ x12,
T3 = x4 ⊕ x21 ⊕ x22 ⊕ x23,
T4 = x10 ⊕ x11 ⊕ x16 ⊕ x17,
T5 = x13 ⊕ x14 ⊕ x15 ⊕ x20,
y0 = T0 ⊕ x1 ⊕ x4 ⊕ x5 ⊕ x14 ⊕ x17 ⊕ x19 ⊕ x20,
y1 = T1 ⊕ x6 ⊕ x10 ⊕ x14 ⊕ x15 ⊕ x16 ⊕ x17 ⊕ x21,
y2 = T1 ⊕ x2 ⊕ x7 ⊕ x11 ⊕ x12 ⊕ x15 ⊕ x17 ⊕ x22,
y3 = T1 ⊕ x2 ⊕ x3 ⊕ x4 ⊕ x8 ⊕ x13 ⊕ x16 ⊕ x23,
y4 = T2 ⊕ x0 ⊕ x8 ⊕ x9 ⊕ x13 ⊕ x18 ⊕ x21 ⊕ x23,
y5 = T3 ⊕ x1 ⊕ x5 ⊕ x10 ⊕ x14 ⊕ x18 ⊕ x19 ⊕ x20,
y6 = T3 ⊕ x2 ⊕ x5 ⊕ x6 ⊕ x11 ⊕ x15 ⊕ x16 ⊕ x19,
y7 = T2 ⊕ x3 ⊕ x4 ⊕ x8 ⊕ x17 ⊕ x20 ⊕ x22 ⊕ x23,
y8 = T4 ⊕ x1 ⊕ x3 ⊕ x4 ⊕ x9 ⊕ x12 ⊕ x13 ⊕ x22,
y9 = T0 ⊕ x0 ⊕ x1 ⊕ x5 ⊕ x14 ⊕ x18 ⊕ x22 ⊕ x23,
y10 = T0 ⊕ x1 ⊕ x6 ⊕ x10 ⊕ x15 ⊕ x19 ⊕ x20 ⊕ x23,
y11 = T0 ⊕ x0 ⊕ x7 ⊕ x10 ⊕ x11 ⊕ x12 ⊕ x16 ⊕ x21,
y12 = T5 ⊕ x2 ⊕ x5 ⊕ x7 ⊕ x8 ⊕ x16 ⊕ x17 ⊕ x21,
y13 = T2 ⊕ x2 ⊕ x3 ⊕ x4 ⊕ x9 ⊕ x13 ⊕ x18 ⊕ x22,
y14 = T2 ⊕ x0 ⊕ x3 ⊕ x10 ⊕ x13 ⊕ x14 ⊕ x19 ⊕ x23,
y15 = T5 ⊕ x1 ⊕ x4 ⊕ x6 ⊕ x7 ⊕ x11 ⊕ x12 ⊕ x16,
y16 = T1 ⊕ x6 ⊕ x9 ⊕ x11 ⊕ x12 ⊕ x17 ⊕ x20 ⊕ x21,
y17 = T4 ⊕ x2 ⊕ x6 ⊕ x7 ⊕ x8 ⊕ x9 ⊕ x13 ⊕ x22,
y18 = T4 ⊕ x3 ⊕ x4 ⊕ x7 ⊕ x9 ⊕ x14 ⊕ x18 ⊕ x23,
y19 = T4 ⊕ x0 ⊕ x5 ⊕ x8 ⊕ x15 ⊕ x18 ⊕ x19 ⊕ x20,
y20 = T3 ⊕ x0 ⊕ x1 ⊕ x5 ⊕ x10 ⊕ x13 ⊕ x15 ⊕ x16,
y21 = T5 ⊕ x2 ⊕ x6 ⊕ x10 ⊕ x11 ⊕ x12 ⊕ x17 ⊕ x21,
y22 = T5 ⊕ x3 ⊕ x7 ⊕ x8 ⊕ x11 ⊕ x18 ⊕ x21 ⊕ x22,
y23 = T3 ⊕ x0 ⊕ x9 ⊕ x12 ⊕ x14 ⊕ x15 ⊕ x19 ⊕ x20.
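Appendix B gives D only through the XOR equations (B.1), while Appendix C gives D^-1 as the bit matrix (C.1), so the two descriptions can be cross-checked against each other. The following Python block, added here and not part of the paper, rebuilds both matrices from the data above and verifies that D·D^-1 = I over GF(2) and that the temporaries reduce the 4-bit XOR count from 240 to 186; it assumes each 4-bit word x_i is held as an int in 0..15, and the index data is transcribed from (B.1) and (C.1).

```python
# Added example (not the paper's own code): rebuild D from the (B.1) XOR equations and D^-1
# from the (C.1) bit rows, then check Appendices B and C: D * D^-1 = I over GF(2) and the
# 240 -> 186 cut in 4-bit XORs. Assumes each 4-bit word x_i is a Python int in 0..15.
from functools import reduce
from operator import xor

# (B.1): inputs of T0..T5; then for each output y_i its temporary index and 7 further inputs.
B_TEMPS = [(3, 4, 13, 18), (0, 9, 14, 23), (1, 6, 15, 16),
           (2, 11, 12, 21), (7, 8, 17, 22), (5, 10, 19, 20)]
B_OUT = [(0, 0, 1, 9, 12, 17, 19, 22), (1, 2, 3, 5, 10, 16, 17, 22), (2, 3, 10, 11, 17, 18, 20, 23),
         (3, 0, 7, 8, 16, 17, 18, 19), (4, 2, 4, 5, 13, 16, 21, 23), (0, 2, 6, 7, 9, 14, 20, 21),
         (5, 0, 3, 7, 14, 15, 21, 22), (2, 4, 11, 12, 20, 21, 22, 23), (3, 1, 3, 6, 8, 9, 17, 20),
         (4, 0, 1, 6, 10, 11, 13, 18), (1, 1, 2, 4, 7, 11, 18, 19), (5, 0, 1, 2, 3, 8, 15, 16),
         (2, 0, 5, 7, 10, 12, 13, 21), (3, 4, 5, 10, 14, 15, 17, 22), (0, 5, 6, 8, 11, 15, 22, 23),
         (1, 4, 5, 6, 7, 12, 19, 20), (5, 1, 4, 9, 11, 14, 16, 17), (2, 2, 8, 9, 14, 18, 19, 21),
         (4, 2, 3, 9, 10, 12, 15, 19), (0, 0, 8, 9, 10, 11, 16, 23), (1, 5, 8, 13, 15, 18, 20, 21),
         (5, 1, 6, 12, 13, 18, 22, 23), (3, 6, 7, 13, 14, 16, 19, 23), (4, 3, 4, 12, 13, 14, 15, 20)]
# (C.1): D^-1 row by row; character j of row i is entry (i, j), i.e. whether x_j feeds y_i.
DINV_BITS = ["011111001100001001011000", "110000100010001111110100", "111000010001100101110010",
             "111110001000010010110001", "100001111100110000100101", "010011000010001000111111",
             "001011100001000110010111", "000111111000100001001011", "010110000111110011000010",
             "111101001100001000100011", "011100101110000100011001", "101100011111100010000100",
             "001001011000011111001100", "001111110100110000100010", "100101110010111000010001",
             "010010110001111110001000", "110000100101100001111100", "001000111111010011000010",
             "000110010111001011100001", "100001001011000111111000", "110011000010010110000111",
             "001000100011111101001100", "000100011001011100101110", "100010000100101100011111"]

def rows_from_equations(temps, outs):
    """Row masks of D (bit j set iff x_j feeds y_i), expanded from the XOR equations."""
    tm = [sum(1 << j for j in t) for t in temps]
    return [tm[o[0]] | sum(1 << j for j in o[1:]) for o in outs]

def rows_from_bits(bits):
    """Row masks from row-major bit strings (character j becomes bit j)."""
    return [int(row[::-1], 2) for row in bits]

def apply_rows(rows, words):
    """Matrix-vector product: y_i is the XOR of the 4-bit words selected by row i."""
    return [reduce(xor, (w for j, w in enumerate(words) if r >> j & 1), 0) for r in rows]

def xor_counts(temps, outs):
    """4-bit XORs needed: naive (row weight minus one) versus with the shared temporaries."""
    naive = sum(bin(r).count("1") - 1 for r in rows_from_equations(temps, outs))
    return naive, sum(len(t) - 1 for t in temps) + sum(len(o) - 1 for o in outs)

def is_identity_product(a, b):
    """A * B == I over GF(2): entry (i, k) is the parity of row_i(A) AND column_k(B)."""
    cols = [sum(((b[j] >> k) & 1) << j for j in range(24)) for k in range(24)]
    return all(bin(a[i] & cols[k]).count("1") % 2 == (i == k) for i in range(24) for k in range(24))
```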
Conflict of Interests
The authors declare that there is no conflict of interests regarding the publication of this paper.
Acknowledgments
Sedat Akleylek is partially supported by OMÜ under the Grant no. PYO.MUH.1904.12.014. The authors thank the anonymous referees for their detailed and very helpful comments and for bringing reference [26] to our attention. The authors also thank Orhun Kara for his valuable comments on the discussion of Remark 7.
References
Shannon C. E., Communication theory of secrecy systems.
Karaahmetoğlu O., Sakallı M. T., Buluş E., Tutănescu I., A new method to determine algebraic expression of power mapping based S-boxes.
Youssef A. M., Tavares S. E., Affine equivalence in the AES round function.
Kwon D., Sung S. H., Song J. H., Park S., Design of block ciphers and coding theory.
Z'aba M. R.
Daemen J., Rijmen V.
FIPS 197.
Barreto P. S. L. M., Rijmen V., The Khazad legacy-level block cipher, Proceedings of the 1st Open NESSIE Workshop, 2000.
Aoki K., Ichikawa T., Kanda M., Matsui M., Moriai S., Nakajima J., Tokita T., Camellia: a 128-bit block cipher suitable for multiple platforms—design and analysis, Proceedings of the 7th Annual International Workshop on Selected Areas in Cryptography (SAC '00), 2000, Lecture Notes in Computer Science, vol. 2012, pp. 39–56.
Kwon D., Kim J., Park S., New block cipher: ARIA.
Nakahara J. Jr., Abrahão É., A new involutory MDS matrix for the AES.
Aslan B., Sakallı M. T., Algebraic construction of cryptographically good binary linear transformations.
Sakallı M. T., Aslan B., On the algebraic construction of cryptographically good 32×32 binary linear transformations.
Beaulieu R., Shors D., Smith J., Treatman-Clark S., Weeks B., Wingers L., The Simon and Speck families of lightweight block ciphers.
Yap H., Khoo K., Poschmann A., Henricksen M., EPCBC—a block cipher suitable for electronic product code encryption.
Karakoc F., Demirci H., Harmanci A. E., ITUbee: a software oriented lightweight block cipher.
Standaert F. X., Piret G., Gershenfeld N., Quisquater J.-J., SEA: a scalable encryption algorithm for small embedded applications.
McEliece R. J.
Lidl R., Niederreiter H.
Courtois N. T., Bard G. V., Wagner D., Algebraic and slide attacks on KeeLoq.
Vaudenay S., Related-key attack against triple encryption based on fixed points, Proceedings of the International Conference on Security and Cryptography (SECRYPT '11), July 2011, pp. 59–67.
Bay A., Mashatan A., Vaudenay S., A related-key attack against multiple encryption based on fixed points.
Dinur I., Dunkelman O., Shamir A., Improved attacks on full GOST.
Bosma W., Cannon J., Playoust C., The Magma algebra system I: the user language.
Koo B. W., Jang H. S., Song J. H., On constructing of a 32×32 binary matrix as a diffusion layer for a 256-bit block cipher.
Hong S., Lee S., Lim J., Sung J., Cheon D., Cho I., Provable security against differential and linear cryptanalysis for the SPN structure.
Saarinen M.-J. O., Cryptographic analysis of all 4×4-bit S-boxes.